Mandiant APT1 Report: 25 Best Commentaries of the Last 12 Days

Two weeks ago today our team at Mandiant was feverishly preparing the release of our APT1 report.

In the twelve days that followed publication on the evening of Monday the 18th, I've been very pleased by the amount of constructive commentary and related research published online.

In this post I'd like to list those contributions that I believe merit attention, in the event you missed them the first time around.

These sorts of posts are examples of what the security community can do to advance our collective capability to counter digital threats.

Please note I avoided mass media accounts, interviews with Mandiant team members, and most general commentary.

They are listed in no particular order.

  1. Seth Hall (Bro): Watching for the APT1 Intelligence
  2. Jason Wood (SecureIdeas): Reading the Mandiant APT1 Report
  3. Chris Sanders: Making the Mandiant APT1 Report Actionable
  4. Symantec: APT1: Q&A on Attacks by the Comment Crew
  5. Tekdefense (NoVA Infosec): MASTIFF Analysis of APT1
  6. Chort Row (@chort0): Analyzing APT1 with Cuckoobox, Volatility, and Yara
  7. Ron Gula (Tenable): We have Microsoft Tuesday, so how long until we have Indicator Wednesday?
  8. OpenDNS Umbrella Labs:An intimate look at APT1, China’s Cyber-Espionage Threat
  9. Chris Lew (Mandiant): Chinese Advanced Persistent Threats: Corporate Cyber Espionage Processes and Organizations (BSidesSF, slides not online yet)
  10. Adam Segal: Hacking back, signaling, and state-society relations
  11. Snorby Labs: APT Intelligence Update
  12. Wendy Nather: Exercises left to the reader
  13. Brad Shoop (Mandiant): Mandiant’s APT1 Domain/MD5 Intel and Security Onion for Splunk
  14. Brad Shoop (Mandiant): Mandiant’s APT1 Domain/MD5 Intel and Security Onion with ELSA
  15. Kevin Wilcox: NSM With Bro-IDS Part 5: In-house Modules to Leverage Outside Threat Intelligence
  16. Cyb3rsleuth: Chinese Threat Actor Part 5
  17. David Bianco: The Pyramid of Pain
  18. Wesley McGrew: Mapping of Mandiant APT1 malware names to available samples
  19. Russ McRee: Toolsmith: Redline, APT1, and you – we’re all owned
  20. Jaime Blasco ( AlienVault Labs): Yara rules for APT1/Comment Crew malware arsenal
  21. Brandon Dixon: Mandiant APT2 Report Lure
  22. Seculert: Spear-Phishing with Mandiant APT Report
  23. PhishMe: How PhishMe addresses the top attack method cited in Mandiant’s APT1 report
  24. Rich Mogull (Securosis): Why China's Hacking is Different
  25. China Digital Times: Netizens Gather Further Evidence of PLA Hacking

M-Unition (Mandiant) published Netizen Research Bolsters APT1 Attribution.

I'd also like to cite Verizon for their comments and mention of IOCExtractor and Symantec for publishing their indicators via Pastebin after I asked about it.

Thank you to those who took the time to share what you found when analyzing related APT1 data, or when showing how to use APT1 indicators to do detection and response.


Unknown said…
Hi Richard,

Thanks for listing the Secure Ideas blog on this. I just wanted to make one correction, it was not written by me (Kevin Johnson) but by Jason Wood, one of our consultants.

Thanks Kevin, fixed.
mzet said…
Hi Richard,

I think that publishing SSL certificates used by the APT1 malware was great idea.

Could Mandiant release APT1 SSL certificates (from appendix F) in PEM format or at least provide fingerprints (md5, sha1) for published certificates? I would like to add capability to detect those certificates by the Nmap network scanner but to do this I need at least sha1 fingerprints. AFAIK converting certificates from text format (format in which APT1 certificates are now available) to PEM is quite complicated.

Thanks in advance.

Anonymous said…
And another I found useful.

Thanks Richard

Popular posts from this blog

Zeek in Action Videos

New Book! The Best of TaoSecurity Blog, Volume 4

MITRE ATT&CK Tactics Are Not Tactics